Akeyless SCP
Akeyless SCP enables secure copy via Secure Remote Access Bastion.
Note:
Akeyless SCP currently supports only UNIX-like OS.
Prerequisite
-
Akeyless Secure Remote Access Bastion.
-
OpenSSH V7.3 or higher on target servers.
Usage
- Download Akeyless SCP script:
curl -o akeyless-scp https://download.akeyless.io/Akeyless_Artifacts/Linux/SSH/akeyless-scp
chmod +x akeyless-scp
mv akeyless-scp /usr/local/bin
- Create your ~/.akeyless-sphere.rc :
# ---------------------------------------------------------------------
# Copyright © 2021 Akeyless Security LTD.
#
# All rights reserved
# ----------------------------------------------------------------------
#
# This file is a user-specific configuration file for akeyless-sphere Zero Trust Access
# it should be located in user home directory named .akeyless-sphere.rc
#
# identity_file - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)
identity_file=""
# cert_issuer_name - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session
cert_issuer_name=""
# profile - Akeyless CLI profile to be used
profile="default"
# Akeyless CLI binary (if needed)
AKEYLESS_CLI=akeyless
# AKEYLESS_API_GW - URL for Akeyless API Gateway (RestAPI)
AKEYLESS_API_GW=""
# Following are used for control service, to configure the temporary session:
# ${BASTION_API_PROTO_}://"${BASTION_API_PREFIX_}${JB_SRV_}${BASTION_API_PATH_}":"${BASTION_API_PORT_}
#
BASTION_API_PREFIX_=""
BASTION_API_PATH_=""
BASTION_API_PROTO_=http
BASTION_API_PORT_=9900
# Allow caching of temp session creds
SESSION_CACHING=no
# Display connection stages
DISPLAY_STAGES=yes
# Use SSH Agent to store user's identity keys.
USE_SSH_AGENT=yes
The latest version of this file can be found in Akeyless official artifacts.
Set the following settings as follow:
CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificates Issuer item.
AKEYLESS_PROFILE - Set the default profile that will be used from your Akeyless Command Line Interface (CLI). By default, it's using the default profile of your Akeyless CLI.
AKEYLESS_GW_REST_API - Set your Akeyless Gateway URL on port 8080 for Zero-Knowledge items and for internal network access.
BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.
BASTION_API_PORT - Default is set to 9900. Set your matching ssh-sra cluster service port.
BASTION_SSH_PORT - Default is set to 22. Set your matching ssh-sra cluster service port.
Optional when working with Load Balancers, you can set the exact FQDN of your ssh-sra service, which listens to the bastion api control port:
BASTION_API_PREFIX - Set your FQDN prefix as your load balancer settings.
BASTION_API_PATH - Set your FQDN path as your load balancer settings.
Where the URL will be set as follow:
${BASTION_API_PROTO}://"${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}":"${BASTION_API_PORT}
- Use akeyless-SCP command to perform secure copy to remote target server via Akeyless Secure Remote Access Bastion:
Full options list:
Usage: /usr/local/bin/akeyless-scp <[email protected][:port]> via <bastion-server[:port]> [options]
optional arguments:
--cert-issuer-name Akeyless certificate issuer name [mandatory]
--local-file File to copy [mandatory]
--remote-file File to copy [default is '~/']
--direction upload/download [default is 'upload']
--profile Use a specific profile from your Akeyless CLI
-i Selects a file from which the identity (private key) for public key authentication is read [default is '~/.ssh/id_rsa']
--ssh-extra-args Use to add offical SSH arguments (except -i)
For example, this command will start to copy a local file, to a remote server.
akeyless-scp [email protected] via <sra-bastion-ssh-service> --local-file /full/local/location/file --remote-file /remote/location/file
Updated 3 months ago